Posted: 3 Min ReadFeature Stories
Translation: 日本語

Symantec Behavioral Isolation: Security Against Sophisticated Attackers

Proactively eliminate potential attack pathways via custom attack surface reduction

Ensuring your company is secure can seem like an overwhelming job today.  Headlines are full of stories with words like: SolarWinds, Ransomware, Insider Threats and Phishing - the stakes couldn’t be higher. Symantec, as a division of Broadcom, recognizes these challenges, and provides solutions and products to help protect the Enterprise.

Over the past few years, Symantec has observed a shift in the threat landscape towards targeted attacks utilizing increasingly sophisticated techniques.  These include a wide range of living-off-the-land tactics with attackers taking advantage of native applications, tools and services already present on targeted systems. This allows the attackers to achieve their goals without needing to create and deploy their own binary files on disk— operating fileless, so to speak—or to blend in with the daily work of a system administrator who uses the same dual-use tools. Given this, it is critical to lock down trusted applications and dual-use tools so that they are allowed to only exhibit behaviors that are deemed legitimate for your company’s needs using Behavioral Isolation.

Behavioral Isolation provides the visibility needed to make informed decisions regarding which behaviors can be blocked safely within your enterprise without loss of user productivity or negatively impacting business operations.

Behavioral Isolation utilizes machine learning on Symantec’s global threat telemetry to identify behaviors exhibited by cyber security threats that may appear legitimate under certain circumstances and hence evade traditional protection technologies. Additionally, it will monitor a company’s environment over a period of time, learning whether these behaviors are common for the specific company, understanding the impact of potentially blocking them and allowing the administrator to manage these behaviors accordingly.

Behavioral Isolation provides the visibility needed to make informed decisions regarding which behaviors can be blocked safely within your enterprise without loss of user productivity or negatively impacting business operations. This results in effective attack surface reduction that is unique to your company, making it increasingly difficult for attackers to move laterally and manifest their attack.

Behavioral Isolation takes a three-pronged approach to neutralizing malicious attacks by:

  1. Identifying app behavior that is potentially risky based on continuous analysis of our global telemetry
  2. Gaining better visibility of the environment and enabling improved policy management of the identified risky behaviors
  3. Reducing the potential attack surface by blocking behavior that is uncommon and allowing behaviors that are common to take place with or without monitoring

The basis upon which Symantec derives its strength in behavioral isolation is from telemetry captured from its Global Intelligence Network (GIN), one of the world’s largest civilian security threat intelligence networks. Symantec’s GIN has gathered information from 175,000,000 endpoints and more than 126,000,000 attack sensors to combat attacks and isolate improper actions from potential security breaches. Corporate confidence in Symantec’s expertise can be seen in the fact that we serve 90% of the Fortune 50 companies, and eight out of every 10 companies in the Fortune 500.

As of December 2020, only a relative few of the SolarWinds customers affected had an active attacker in their networks, but every one of those customers remained compromised by the Sunburst incident.

One of the most-notable sophisticated targeted attacks of late is the Sunburst/SolarWinds attack of 2020. Approximately 18,000 SolarWinds customers, including 100 that were also Symantec customers, had their networks breached by a Trojan downloaded into their supply chain operations. As of December 2020, only a relative few of the SolarWinds customers affected had an active attacker in their networks, but every one of those customers remained compromised by the Sunburst incident. The Sunburst attack leverages several "living off the land" tactics and techniques.

Behavioral Isolation includes 4 different application behaviors that were utilized during the Sunburst attack. Setting any of these behaviors to “deny” will break the attack chain. These behaviors are:

  • Wscript launching rundll32
  • WMI launching rundll32
  • Powershell launching an encoded command
  • Rundll32 creating a non-PE executable

While attackers may use only a few behaviors to launch an attack, Symantec has identified more than 180 distinctive activities.  Seventy of them are most commonly utilized in attacks.

Symantec looks specifically for the outlier behavior that under normal circumstances is rarely, if ever used, and shuts down that pathway. This blocking of specific actions from otherwise trusted processes can break the chain of an attack and also increase the awareness of what to look for in potential attacks.  The set of behaviors exposed through the feature is continuously updated based on the evolution of the threat landscape.

With Symantec’s new Behavioral Isolation capabilities, security teams can take the steps necessary to contain an attacker’s attack efforts and shrink the potential attack battlefield. And fortunately for enterprises across the globe, Symantec is helping to change the rules of the game for attackers.

Symantec Enterprise Blogs
Webinar

Getting Hit with Targeted Attacks? Symantec Endpoint Behavioral Isolation

With the recent rise of targeted attacks, attack surface reduction has become a critical part of every company's cyber security strategy. This powerful security technique uses intelligent rules to block attackers seeking to paralyze critical operations.

Watch Now
Symantec Enterprise Blogs
You might also enjoy
5 Min Read

Sunburst: Supply Chain Attack Targets SolarWinds Users

A number of Symantec customers affected by wide-ranging trawl for potential targets of interest.

About the Author

Mark Gentile

Chief Architect, Enterprise Endpoint Security Solutions

Mark is Chief Architect for Enterprise Endpoint Security Solutions, with overall technical responsibility for Symantec's flagship Endpoint Security offerings. He is the former CEO and founder of Odyssey Software, acquired by Symantec.

About the Author

Aryiro Toan

Product Management Lead, Enterprise Endpoint Security Solutions

Aryiro is a Product Management Lead for Symantec Enterprise Security with a focus on protection efficacy and emerging security technologies. She joined Symantec in 2008 as a software engineer focusing on machine learning and data analytics.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.